
"Anti-virus is no good" - discuss



Security professionals, analysts, journalists and people in the pub: there's a vocal minority in all those groups which likes to be heard to say, "Anti-virus isn't good enough for today's threats."

They don't need to propose an alternative in order to get a look-in: the claim itself is bold enough to muster plenty of attention.

But is it true? Are you wasting your time with a modern anti-virus?

Is the anti-virus glass really half-empty?

Or is this sort of dismissive criticism the result of the ill-informed presumptions made by a few influential observers whose understanding of "anti-virus" is rooted back in 1986?

Read on for Paul Ducklin's article, in which he puts the case for modern anti-virus software, argues for defence-in-depth, and urges us all to stand together to fight cybercriminality, rather than taking petty pot-shots at each other.

"Anti-virus is no good" - discuss.

    Security professionals, analysts, journalists and people in the pub: there's a vocal minority in all those groups which likes to be heard to say, "Anti-virus isn't good enough for today's threats." They don't need to propose an alternative in order to get a look-in: the claim itself is bold enough to muster plenty of attention. But is it true? Are you wasting your time with a modern anti-virus? Paul Ducklin has his say.


When computer viruses first became a problem, some time in the mid 1980s, a common early response was that viruses themselves didn't even exist.

They were nothing but an urban myth - like "alligators in the New York sewers," according to Peter Norton in 1988. (By 1990, he was, of course, selling Norton Anti-Virus under his own brand.)

But in about 1989 or 1990, when the first polymorphic (self-changing) viruses appeared, we started hearing that "anti-virus is not good enough to handle today's threats".

This is a mantra which some security professionals feel compelled to trot out to this day.

In most cases I've seen, this dismissive condemnation of anti-virus technology is based on wishful thinking: the assumption that anti-virus is explicitly about individual signatures for known malware samples, and thus that any anti-virus is, by design, reactive.

Of course, decent anti-virus products haven't relied on known-malware signatures since about 1989 or 1990, because polymorphic viruses made it obvious that a list of every so-far-known infectious file would not be enough, even if your goal was to detect existing virus families only.

Viruses and Trojan Horses

In truth, a modern anti-virus deals with viruses only occasionally.

We still see self-replicating threats - true viruses, such as Conficker and Linux/Rst-B - but most modern malware is of the one-shot variety.

These are Trojan Horses: inconspicuously malevolent programs, most commonly delivered over the internet, and designed to co-opt your computer for criminal purposes, such as sending spam, stealing passwords, attacking third parties or holding your data to ransom.

Thanks to the magic of the cloud, crooks can generate and deliver a brand-new sample of a single Trojan to each potential victim, using what is called server-side polymorphism. Every sample is different, just as in a polymorphic virus, but the polymorphic engine - the program code which performs the sample-by-sample permutation - is secret.

In a world in which every sample of a new malware family might be unique, an anti-virus which could only deal with previously-seen samples would, indeed, be of little use.

Fortunately, that's not how good anti-virus software works.

To be sure, exact identification of specific objects can be useful - enumerating commonly-seen known-bad components of various malware families, for instance, helps with blacklisting (aka blocklisting); maintaining a list of known-good operating system libraries allows for whitelisting (aka allowlisting).

But decent anti-virus software isn't really just plain old anti-virus any more. It isn't just an enormous blocklist of checksums.

More than just anti-virus

A good anti-virus will analyse the potential behaviour of a file - both statically, before it is used, for true preventative blocking, and dynamically, after it is loaded, for a second chance at heading off malicious behaviour.

A good anti-virus solution will automatically monitor and control newly-arrived files (and by all possible routes, from web downloads to inserted USB keys); the behaviour of newly-started processes; the network traffic associated with running programs; and more.

A good anti-virus will not only allow you to detect and block malicious programs, but also allow you to control legitimate-yet-risky software, such as outdated browsers. It will help you to identify and eliminate dangerous web browsing, both by URL and by analysing returned content. It will spot unpatched or vulnerable software, as well as potential files and network traffic which might trigger those vulnerabilities.

In fact, a really good anti-virus - which is competent at unravelling complex compound objects such as DOCs, PDFs, HTML pages and more - will help you look not just for malevolent and risky content coming into your organisation but also for confidential or personal content going out. Better yet, it will do this "on-access" or "real time" - heading off risky behaviour before it happens, rather than simply detecting breaches after the fact.

Defence in depth

Where does this leave us in respect of the assertion that "anti-virus is not good enough to handle today's threats?"

In some ways, that statement is a truism. You can apply it to any individual security technology, considered all on its own. For example, you wouldn't rely entirely on a packet-filtering network firewall to protect you from viruses. (Removable media, QED.) You wouldn't rely entirely on a spam filter to stop inbound malicious documents. (Web downloads, QED.) And so on.

Anti-virus isn't a panacea, and if you are faced with a vendor who is trying to sell it as one, I suggest you shop somewhere else.

Nevertheless, anti-virus in its modern form is a jolly useful part of any defence-in-depth strategy.

In particular, a decent endpoint anti-virus is agnostic about the source of a threat - incursions by email, web, USB, P2P etc. are all handled in a similar way. A decent endpoint anti-virus actually keeps watch for much more than just known malware - helping you with patch assessment, exploit prevention, data leakage and risky network traffic, too.

And, most importantly, a decent endpoint anti-virus really helps you to put the Prevention into your multi-layer IPS (Intrusion Prevention System).

Stand together and fight!

The truth is that no-one in computer security, except perhaps the crooks themselves, can predict what tomorrow's malware, tomorrow's dodgy domain names, tomorrow's botnet command and control servers, or tomorrow's illegal money-making scams are going to be.

But we can guess what tomorrow's cybercriminality will be like, if we are well-informed about what has happened so far. (The fancy name for this is "heuristics".)

This, paradoxically, is why the rate of appearance of new malware is increasing.

Not because the crooks are getting smarter, but because today's anti-virus products are making life harder for them.

The cybersecurity glass is not half-empty, as some might like you to think. It is at least half-full, and filling.

We'll fill the glass even faster if the various subsects of the computer security industry stop pointing fingers at each other, and writing off each others' technologies as "no good" without fair cause.

We have a common enemy. Let's stand together and fight that enemy, not each other!

via: http://nakedsecurity...o-good-discuss/
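The article's point about checksum lists versus static analysis, as an added example for this thread (not code from the article and not any vendor's engine): a toy Python scanner in which the same Trojan core is served with different junk padding, so the blocklist built from the first variant misses the second, while the allowlist of known-good files and a structural heuristic (executable marker, embedded URL, high entropy) still reach a verdict without having seen the file before. The samples, hashes and the c2.example URL are all constructed here.

```python
"""Toy scanner contrasting exact-hash lists with a static heuristic.

Added example for this thread (not code from the article or from any
anti-virus vendor).  All samples, hashes and the c2.example URL are
constructed here so the script runs offline.
"""
import hashlib
import math
import random
import re
from collections import Counter

# Constructed "known-good" system library and its allowlist entry.
GOOD_LIBRARY = b"MZ\x90\x00 system library v1.0, exports: Open, Read, Close"
ALLOWLIST = {hashlib.sha256(GOOD_LIBRARY).hexdigest()}

# Constructed malicious core shared by every variant of one Trojan family.
TROJAN_CORE = b"MZ\x90\x00 fetch http://c2.example/update and run it"


def make_variant(seed: int) -> bytes:
    """Simulate server-side polymorphism: the same core is padded with
    seed-dependent junk so each download has a different checksum."""
    rng = random.Random(seed)
    junk = bytes(rng.getrandbits(8) for _ in range(1024))
    return TROJAN_CORE + junk


# Blocklist built from the single variant seen "yesterday".
BLOCKLIST = {hashlib.sha256(make_variant(1)).hexdigest()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or packed data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def static_signals(data: bytes) -> list[str]:
    """Structural hints that do not depend on having seen this exact file."""
    signals = []
    if data.startswith(b"MZ"):
        signals.append("executable header")
    if re.search(rb"https?://[\w.-]+", data):
        signals.append("embedded URL")
    if shannon_entropy(data) > 7.0:
        signals.append("high-entropy region (packed or encrypted)")
    return signals


def classify(data: bytes) -> tuple[str, list[str]]:
    """Exact allowlist and blocklist first, then the heuristic fallback."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in ALLOWLIST:
        return "allow", ["known-good hash"]
    if digest in BLOCKLIST:
        return "block", ["known-bad hash"]
    signals = static_signals(data)
    # Two or more independent hints is enough to hold the file for dynamic analysis.
    if len(signals) >= 2:
        return "suspicious", signals
    return "clean", signals


if __name__ == "__main__":
    for name, sample in [("library", GOOD_LIBRARY),
                         ("variant-1", make_variant(1)),
                         ("variant-2", make_variant(2))]:
        verdict, why = classify(sample)
        digest = hashlib.sha256(sample).hexdigest()[:12]
        print(f"{name:10} sha256={digest}... {verdict}: {why}")
```

Variant 1 is caught by its hash, variant 2 only by the heuristic; the thresholds and signals are deliberately simple stand-ins for the static analysis the article describes, so a real engine would weight many more features and follow up with dynamic monitoring.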



Despite the fact that there are so many different forms of malicious software, it does not mean that we shouldn't have any antivirus at all. It's not just about antivirus either, people need to be informed about the many ways that malicious code can spread, but even this is not enough. Overall, having SOME protection is better than having NO protection.


I believe that the people at Microsoft are capable of making the Windows OS very secure, but it just isn't profitable!

If you now look at the money that "only" anti-virus companies earn in one year,

and in countries like the Czech Republic (I think), where one Anti-Virus Advanced Set (aka AVAST) is/was the largest exporter - it is a BIG boost to the economy!

Of course Microsoft is very connected with these companies in many ways!

Whether Microsoft makes its OS secure or not, it will still sell at the same rate, because Linux has very poor video/media features, is not made for games and is not supported by most software/driver companies, and since Apple is... well, Apple.

And the money that Microsoft and resellers earn by recommending and/or preinstalling AV software on PCs (remember '91 or '92, when Microsoft was sued by Apple for preinstalling the OS and not giving people a choice - Bill Gates had to resign as CEO...).

These days I can see a large number of people, besides AV, searching for a good firewall and a lot of other features that they actually either don't need or already have.

For example, the Windows Vista and 7 firewalls ARE very good, and I know some security experts who rely on them.

Of course that firewall needs some tweaks to be 10/10, but Microsoft never gave any kind of "user manual" for setting up the firewall, and didn't bother to add a wizard to easily set up the firewall according to the user's needs and the network topology of the environment the PC is in.

Anti-virus was never "good", but for the majority it is a necessity to have AV, because the majority are faced with threats that are in most AV databases, and it will prevent most of those threats (TBH there is a big number of people who visit only "safe" pages and don't deal with greyhat/blackhat sites and software - cracks, patches, relatively unknown software/PUA, software that is able to destroy a PC like a RAT, etc.).

Example of ideal malware:

There will always be 0-day FUD rogue software, and there is no AV that can detect it.

In that situation BB/HIPS/cloud comes in handy, but its behaviour seems legit so the BB lets it run; it has a digital signature so the HIPS lets it run; with all those facts we will let it run in a sandbox. After some time we notice that the software does all we expect from it and we let it run out of the sandbox. We now have software that seems legit and performs all we expect, but after 20 days the software asks to perform some updates and we allow it.

Now if the software needs to perform an update it first needs to send a request; let's say that this software is an AIO tool for maintaining Windows, and as one of its options it contains something like HJT and scans your OS.

The software then uploads the collected information, and the hacker has gained all the info about your OS, the files/data on your HDDs and the security you use.

Now at this moment a LARGE number of hackers work to disable the protection of the latest security solutions, so that they can use it for the private purpose of gaining money and information; also it is very easy to make software that has an identical GUI to NOD32 and is an empty shell that does nothing, just imitating NOD32 and telling you that your PC is protected.

If he now thinks that you are worth hacking, he will probably buy (if it exists, or wait until it is made/found) that exploit and disable your protection.

After that he can "update" an advanced RAT that can cover its traces in Task Manager and run silently in the background of your PC.

It is in his best interest not to give you any reason to think that you are infected, so your OS will run fast, you will do whatever you want, and you will think "I am protected" because some good AV or IS or something different is protecting your computer and it is first on every AV rating site.

And don't forget that after it disables the AV it will probably install some keylogger so it can steal your passwords and hope to get your bank or PayPal account info.

He knows your IP, he knows your ISP, he probably knows your address!

He knows your habits, he has all your passwords and all your data.

Now you have become a bot - his tool!

He will not let you go yet; he will use you to attack other computers/websites and you can easily end up in jail!

After all that, let's say that the hacker doesn't need your computer and let's say he wants to remove all traces; then the rogue will contain or "update" some module or other software that will delete/shred the software and fill memory with junk.

(Look at deletion like a pointer: you define a pointer to data; deletion is just saying this pointer doesn't point to that data any more and the memory is free, but the data is still there in memory and it can be traced back with the latest data restore tools, so the data needs to be overwritten with "something" and then the pointers released - this is not exactly how it is in reality, but it will give you some perception, because the concept is the same.)

The software is deleted, and all that is left is some module/script or some executable that can't harm the PC, and even that can be removed.

The next day the FBI is in your house for attacking some gov websites.

If they can't find any traces of the RAT or rogue, you are going to spend some years in the "cornhole house".

Even if they find and prove that your PC was infected, there is NO way you can prove that you did not install it yourself (like most hackers do) so that you would have an alibi.

0-day malware that you can see on sites for testing protection is NOT this type of malware,

the people who make this malware are very rich and don't give a f*ck about you,

and they don't spread their creations; they use them only for private purposes and/or sell them on the black market (2 years ago a simple NOD32 exploit that allowed you to auto-update/auto-change the licence once it was blacklisted was sold for $60; how much do you think an exploit that would disable UAC would cost? lol $$$).

So you see, ideal protection and ideal attack => you will be hacked!

Because most people ARE NOT targeted by "good hackers", and it is hard to be a target if you visit legit sites, use legit software, have a decent anti-virus and don't visit darkhack sites/forums/IRCs without good knowledge!

So just relax: if you are not targeted like Bill Gates or Mark Zuckerberg, a decent anti-virus is the only protection you need, and some brain also :P !
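The pointer analogy in the post above (delete releases the pointer, the bytes stay until something overwrites them) is the reason forensic examiners image unallocated space rather than trusting the directory. As an added example for this thread, not the poster's code and not a real filesystem, the toy block device below makes that visible: `unlink` only frees the blocks, `overwrite_then_unlink` wipes them first, and `carve` scans every block regardless of the allocation list. The disk layout, file names and contents are constructed.

```python
"""Toy block device showing why an ordinary delete does not erase data.

Added example for this thread (not the poster's code, not a real
filesystem).  The disk, files and carving routine are constructed; real
filesystems differ in detail, but unlinking a file likewise drops the
pointers and frees the blocks without clearing their contents.
"""
BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, n_blocks: int):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]  # raw storage
        self.free = list(range(n_blocks))          # free-block list
        self.pointers: dict[str, list[int]] = {}   # name -> block indices
        self.sizes: dict[str, int] = {}            # name -> byte length

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        idx = [self.free.pop(0) for _ in chunks]
        for i, chunk in zip(idx, chunks):
            self.blocks[i] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.pointers[name] = idx
        self.sizes[name] = len(data)

    def read(self, name: str) -> bytes:
        raw = b"".join(self.blocks[i] for i in self.pointers[name])
        return raw[: self.sizes[name]]

    def unlink(self, name: str) -> None:
        """Ordinary delete: forget the pointers, mark the blocks free, touch no data."""
        self.free.extend(self.pointers.pop(name))
        del self.sizes[name]

    def overwrite_then_unlink(self, name: str, fill: bytes = b"\0") -> None:
        """Wipe: write a fill byte over every block first, then release it."""
        for i in self.pointers[name]:
            self.blocks[i] = fill * BLOCK_SIZE
        self.unlink(name)


def carve(disk: ToyDisk, needle: bytes) -> list[int]:
    """Forensic-style scan: inspect every block, allocated or free, ignoring
    the directory entirely, and return the indices where the needle survives.
    (A needle straddling two blocks would be missed by this simple version.)"""
    return [i for i, block in enumerate(disk.blocks) if needle in block]


if __name__ == "__main__":
    disk = ToyDisk(8)
    disk.write("secret.txt", b"token=hunter2")
    disk.unlink("secret.txt")
    print("after plain delete, 'hunter2' found in blocks:", carve(disk, b"hunter2"))
    disk.write("other.txt", b"key=swordfish")
    disk.overwrite_then_unlink("other.txt")
    print("after overwrite+delete, 'swordfish' found in blocks:", carve(disk, b"swordfish"))
```

The practical reading for an investigator is the contrapositive of the post's scenario: an empty directory entry is not evidence of absence, and a clean carve of unallocated space is only as good as the wipe that preceded it.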


It's always good to have an up-to-date AV on your computer and to have automatic updates enabled for all the latest definitions etc.

But I tell people all the time, "just because your antivirus is up to date and says you have no viruses doesn't mean you don't".

There are several very active public hacking sites that have crypters readily available to purchase, and even offer a money-back guarantee that if your virus gets detected you get your money back.

A crypter, for people who don't know (in short), is a rogue piece of software that protects/cloaks mainly .exe files from being detected by AVs. Some even scan your files every hour with 37 common AVs and update it as soon as it's detected; this is usually an optional extra.

The common hacker term for an undetectable virus is (FUD), which is short for "fully undetectable".

These crypters start from as cheap as $10, and some users offer single crypts for as little as $0.50.

This has been around for years now, and is the only reason I download only from trusted sites, and always run applications on a virtual machine running AV, although this still is not 100% safe.

You're not wasting your time with a modern anti-virus, but you also aren't as well protected as you once were. I have to clean up computers with fully updated anti-virus products quite often due to nasty malware infections. A few years ago it wasn't so bad, but times have changed indeed.


We nsaners don't need antivirus because we are professionals. B)



We nsaners don't need antivirus because we are professionals. B)

:nono: I don't agree. I really need one.


We nsaners don't need antivirus because we are professionals. B)



Common sense is outdated. Common sense can detect and prevent, but cannot remove malware.


Antivirus software is a professional person. This person together with you can be the best pair for the security of your OS. Don't worry, listen to me:

If you don't want, your OS was not infected. :)


